april 2011 working paper - mercatus center · and were likely meant to build artillery rockets.24...

working paperLOving the cyber bOmb? the dangers Of threat infLatiOn in cybersecurity pOLicy

By Jerry Brito and Tate Watkins

no. 11-24 april 2011

The ideas presented in this research are the authors’ and do not represent official positions of the Mercatus Center at George Mason University.

LOVING THE CYBER BOMB?

THE DANGERS OF THREAT INFLATION IN

CYBERSECURITY POLICY

Jerry Brito*& Tate Watkins

**

INTRODUCTION

Over the past two years there has been a steady drumbeat of alarmist

rhetoric coming out of Washington about potential catastrophic

cyberthreats. For example, at a Senate Armed Services Committee hearing

last year, Chairman Carl Levin said that ―cyberweapons and cyberattacks

potentially can be devastating, approaching weapons of mass destruction in

their effects.‖1 Proposed responses include increased federal spending on

cybersecurity and the regulation of private network security practices.

The rhetoric of ―cyber doom‖2 employed by proponents of increased

federal intervention, however, lacks clear evidence of a serious threat that

can be verified by the public. As a result, the United States may be

witnessing a bout of threat inflation similar to that seen in the run-up to the

Iraq War. Additionally, a cyber-industrial complex is emerging, much like

the military-industrial complex of the Cold War. This complex may serve to

not only supply cybersecurity solutions to the federal government, but to

drum up demand for them as well.

Part I of this article draws a parallel between today‘s cybersecurity

debate and the run-up to the Iraq War and looks at how an inflated public

conception of the threat we face may lead to unnecessary regulation of the

Internet. Part II draws a parallel between the emerging cybersecurity

establishment and the military-industrial complex of the Cold War and

*Senior Research Fellow, Mercatus Center at George Mason University. J.D., George

Mason University School of Law, 2005; B.A., Political Science, Florida International

University, 1999. The authors would like to thank Jerry Ellig, Jim Harper, Adam Thierer,

Dan Rothschild, and Richard Williams for their helpful comments on drafts of this article. **

Research Associate, Mercatus Center at George Mason University. M.A.,

Economics, Clemson University, 2008; B.A., Economics, Clemson University, 2007. 1Nominations of Vice Admiral James A. Winfield, Jr., and Lieutenant General Keith B.

Alexander Before the Senate Armed Services Committee, 111th

Congress, available

athttp://armed-services.senate.gov/Transcripts/2010/04%20April/10-32%20-%204-15-

10.pdf. 2Sean Lawson, Beyond Cyber Doom: Cyber Attacks and the Evidence of History,

(Mercatus Center at George Mason University working paper, 2011), available at

http://mercatus.org/sites/default/files/publication/beyond-cyber-doom-cyber-attack-

scenarios-evidence-history_1.pdf.

2 LOVING THE CYBER BOMB? [4-May-11

looks at how unwarranted external influence can lead to unnecessary federal

spending. Finally, Part III surveys several federal cybersecurity proposals

and presents a framework for analyzing the cybersecurity threat.

I. THREAT INFLATION, THE IRAQ WAR,

AND PARALLELS TO THE CYBER DEBATE

Threat inflation is a concept in political science that refers to ―the

attempt by elites to create concern for a threat that goes beyond the scope

and urgency that a disinterested analysis would justify.‖3 Different actors—

including members of Congress; defense contractors; journalists; policy

experts; academics; and civilian, military, and intelligence officials—will

each have their own motives for contributing to threat inflation. When a

threat is inflated, the marketplace of ideas on which a democracy relies to

make sound judgments—in particular, the media and popular debate—can

become overwhelmed by fallacious information.4 The result can be

unwarranted public support for misguided policies.

A. Run-Up to the Iraq War

The run-up to the Iraq War illustrates the dynamic of threat inflation.

After 9/11, the Bush Administration decided to invade Iraq to oust Saddam

Hussein.5 Lacking any clear casus belli, the administration sought popular

and congressional support for war by promoting several rationales that

ultimately proved baseless.6

3JANE K. CRAMER &A. TREVOR THRALL, Framing Iraq: threat inflation in the

marketplace of values, inAMERICAN FOREIGN POLICY AND THE POLITICS OF FEAR174, 1 (A.

Trevor Thrall & Jane K. Cramer, eds., 2009). 4Id. at 1; A. TREVOR THRALL, Understanding Threat Inflation, inAMERICAN FOREIGN

POLICY AND THE POLITICS OF FEAR 174, (A. Trevor Thrall & Jane K. Cramer, eds. 2009). 5Joel Roberts, Plans For Iraq Attack Began On 9/11, CBS NEWS, Sept. 4, 2002, at

http://www.cbsnews.com/stories/2002/09/04/september11/main520830.shtml (noting that

Defense Secretary Donald Rumsfeld told aides to draw plan for an attack on Iraq hours

after the 9/11 attack on the Pentagon). RICHARD A. CLARKE, AGAINST ALL ENEMIES 30-31

(2004) (explaining that during response planning meetings on September 12, Rumsfeld and

other high-level officials advocated an attack on Iraq despite a lack of evidence to suggest a

connection to the 9/11 attacks). 6For an overview of false and misleading administration claims leading to the Iraq

War, see generallyChaim Kaufmann, Threat Inflation and the Failure of the Marketplace

of Ideas: The Selling of the Iraq War, 29 INT‘L SECURITY5 (2004); James P. Pfiffner, Did

President Bush Mislead the Country in His Arguments for War with Iraq?, 34

PRESIDENTIAL STUD. Q. 25, 26 (2004); Murray Waas, Prewar Intelligence: Insulating

Bush,NAT‘L J., Mar. 30, 2006, at XX; JOSEPH CIRINCIONE ET AL., WMD IN IRAQ:

EVIDENCE AND IMPLICATIONS,(Carnegie Endowment for International Peace, 2004); U.S.

Senate Select Committee on Intelligence, Report on Whether Public Statements Regarding

4-May-11] Brito& Watkins 3

First, the administration implied that the Iraqi regime was connected to

the terrorist attacks of 9/11.7 In a major speech outlining the Iraqi threat in

October of 2002, President Bush stated that Iraq and al Qaeda had

longstanding links, and that Iraq had provided training and medical

treatment to members of al Qaeda.8 Vice President Cheney on various

occasions made the claim that 9/11 hijacker Mohamed Atta had met with an

Iraqi official in Prague in 2001.9 Defense Secretary Donald Rumsfeld called

evidence of the link ―bulletproof,‖ and Condoleezza Rice echoed those

claims.10

We now know that there was no solid evidence for those statements.11

For one thing, al Qaeda, under the direction of Osama Bin Laden, was a

fundamentalist Muslim organization that despised the secular government

of Saddam Hussein.12

More specifically, investigations by the FBI, CIA,

and the U.N. concluded that these links did not exist.13

Mohamed Atta, for

example, was in Florida at the time the alleged Prague meeting took place.14

President Bush ultimately admitted that he ―had no evidence that

Saddam Hussein was involved with September 11th,‖ but he did so only

after the war had commenced.15

As late as 2006, however, over 40 percent

of Americans still said they believed Saddam Hussein was ―personally‖

involved in the 9/11 attacks.16

Second, the administration also sought to make the case that Iraq

threatened its neighbors and the United States with weapons of mass

Iraq by U.S. Government Officials Were Substantiated by Intelligence Information,S. REP.

110- (2008), available athttp://intelligence.senate.gov/080605/phase2a.pdf; Senate Select

Committee on Intelligence, Report on Intelligence Activities Relating to Iraq Conducted by

the Policy Counterterrorism Evaluation Group and the Office of Special Plans Within the

Office of the Under Secretary of Defense for Policy, S. REP. 110- (2008), available

athttp://intelligence.senate.gov/080605/phase2b.pdf. 7James P. Pfiffner, Did President Bush Mislead the Country in His Arguments for War

with Iraq?, 34 PRESIDENTIAL STUD. Q. 25, 26 (2004). 8 President George W. Bush, Remarks by the President on Iraq (Oct. 7, 2002)

available at http://georgewbush-

whitehouse.archives.gov/news/releases/2002/10/20021007-8.html. 9Pfiffner, supra note 7, at 26-27.

10 Eric Scmitt, Rumsfeld Says U.S. Has 'Bulletproof' Evidence of Iraq's Links to Al

Qaeda, N.Y. Times, Sept. 28, 2002, at XX. 11

Pfiffner, supra note 7, at 27. 12

Id. at 26. 13

Id. at 27. 14

NATIONAL COMMISSION ON TERRORIST ATTACKS UPON THE UNITED STATES, THE

9/11 COMMISSION REPORT, 228. 15

Pfiffner, supra note 7, at n.13. 16

CNN, Poll: Iraq war could wound GOP at polls (Sept. 6, 2006), available at

http://articles.cnn.com/2006-09-06/politics/iraq.poll_1_iraq-war-sampling-error-poll-

results-show?_s=PM:POLITICS.


destruction (WMD). By framing the issue in terms of WMD, the

administration was conflating the threat from nuclear, biological, and

chemical weapons.17

While no doubt terrible, the destructive power of

biological and chemical weapons is tiny next to that of a nuclear

detonation.18

Conflating these threats, however, allowed the administration

to link the unlikely but serious threat of nuclear weapons to the more likely

but less serious threat posed by biological and chemical weapons.19

The president, vice president, and senior members of the administration

made the claim that Iraq was close to acquiring nuclear weapons.20

They

made these claims without providing any verifiable evidence. The evidence

they did provide—Iraq‘s alleged pursuit of uranium ―yellowcake‖ from

Niger and its purchase of aluminum tubes allegedly meant for uranium

enrichment centrifuges—were ultimately determined to be unfounded.21

The administration was also aware at the time that the evidence it was

presenting was problematic. The CIA had investigated the claim that Iraq

had attempted to buy yellowcake in Niger and had concluded that it was

false.22

Weeks before the invasion, it was revealed that the documents on

which the claim had been predicated were forgeries.23

Similarly, technical

experts at the Department of Energy had concluded that the aluminum tubes

that had been purchased by Iraq were not suitable for uranium enrichment

and were likely meant to build artillery rockets.24

Despite the lack of verifiable evidence to support the administration‘s

claims, the news media tended to report them unquestioned.25

The initial

reporting on the aluminum tubes claim, for example, came in the form of a

front page New York Times article by Judith Miller and Michael Gordon

17


See Wolfgang K. H. Panofsky, Dismantling the Concept Of “Weapons of Mass

Destruction”, ARMS CONTROL TODAY, Apr. 1998, at XX. See alsoKENNETH M. POLLACK,

THE THREATENING STORM 179 (2002), cited in Pfiffner, supra note 7, at n.14. 19

For example, Vice President Cheney was able to make statements such as, ―Many of

us are convinced that Saddam will acquire nuclear weapons fairly soon. . . . There is no

doubt he is amassing [WMD] to use against our friends, against our allies, and against us.‖


Id. 21

Pfiffner, supra note 7, at 30-36; Barton Gellman & Walter Pincus, Depiction of

Threat Outgrew Supporting Evidence, WASH. POST, August 10, 2003, at A1. 22

Pfiffner, supra note 7, at 31-32; Joseph C. Wilson IV, What I Didn’t Find in Africa,

N.Y. TIMES, July 6, 2003, at XX. 23


Id. at 35-36. 25

Michael Massing, Now They Tell Us, N.Y. REV. BOOKS, Feb. 26, 2004, at XX;

CALVIN F. EXOO, THE PEN AND THE SWORD: PRESS, WAR, AND TERROR IN THE 21ST

CENTURY XX (2010).


that relied entirely on anonymous administration sources.26

The article gave

the impression that there was consensus that the tubes were meant for

uranium enrichment.27

Later reporting by Miller and Gordon noted that, in

fact, there were dissenting opinions on the purpose of the tubes among

government experts.28

However, they were quick to dismiss those views,

citing ―other, more senior, officials‖ who insisted that the skeptics

represented a minority view.29

One reason why the New York Times reports have been criticized so

strongly is that they were later cited by the administration in making its case

for war.30

Appearing on Meet the Press, Vice President Cheney answered a

question about evidence of a reconstituted Iraqi nuclear program by stating:

There‘s a story in The New York Times this morning—this is—I don‘t—

and I want to attribute The Times. I don‘t want to talk about, obviously,

specific intelligence sources, but it‘s now public that, in fact, [Saddam

Hussein] has been seeking to acquire, and we have been able to intercept and

prevent him from acquiring through this particular channel, the kinds of tubes

that are necessary to build a centrifuge.31

This meant that the administration was able to cite its own leak—with the

added imprimatur of the Times—as a rationale for war.

Miller, who was criticized after the invasion for her credulous reporting,

has defended herself by stating that as a reporter, ―my job isn‘t to assess the

government‘s information and be an independent intelligence analyst

myself. My job is to tell readers of The New York Times what the

government thought about Iraq‘s arsenal.‖32

This view of reporting as mere

conduit for anonymous administration officials is dangerous because it can

serve to give the endorsement of an independent media on controlled leaks

by government insiders.33

Most members of Congress similarly took the administration at its word

and were uncritical of the evidence underpinning the rationales for war. As

Ronald R. Krebs and Jennifer Lobasz write,

26

Michael R. Gordon & Judith Miller, U.S. Says Hussein Intensifies Quest For A-Bomb

Parts, N.Y. TIMES, Sept. 8, 2002, at A1; Massing, supra note 25, at XX. 27

Id. 28

Id. 29

Massing, supra note 25, at XX. 30

MICHAEL ISIKOFF& DAVID CORN, HUBRIS 33-34 (2006). 31

Transcript of Interview with VicePresident Dick Cheney on Meet the Press, Sept. 8,

2002, available at http://www.mtholyoke.edu/acad/intrel/bush/meet.htm. 32

Massing, supra note 25, at XX. 33

Massing, supra note 25, at XX (noting that Cheney, Rice, and others pointed to the

New York Times report as evidence of WMD).


A large and critical group of Democrats, whose national profiles might

have bolstered the opposition to war, shied away from criticizing the popular

president leading the War on Terror: while a handful jumped enthusiastically

on the Iraq bandwagon, many others quietly favored invasion or at most

criticized unilateral action.34

While there are competing theories why it may have been the case,35

the

fact is that our system of checks and balances failed to test the evidence of a

serious threat from Iraq.

B. Cyber Threat Inflation

Over the past two years, there has been a drive for increased federal

involvement in cybersecurity. This drive is evidenced by the introduction of

several comprehensive cybersecurity bills in Congress,36

the initiation of

several regulatory proceedings related to cybersecurity by the Federal

Communications Commission and Commerce Department,37

and increased

coverage of the issue in the media.38

The official consensus seems to be that

the United States is facing a grave and immediate threat that only quick

federal intervention can address.39

This narrative has gone largely

34

Ronald R. Krebs & Jennifer Lobasz, The sound of silence: rhetorical coercion,

democratic acquiescence, and the Iraq War, inAMERICAN FOREIGN POLICY AND THE

POLITICS OF FEAR 174 (A. Trevor Thrall & Jane K. Cramer, eds., 2009) 117, 123. 35

Id. at 120. 36

See, e.g.,Cybersecurity Act of 2009, S. 773, 111th Cong. (2009) & Protecting

Cybersecurity as a National Asset Act of 2010, S. 3480, 111th Cong. (2010). 37

See, e.g., Federal Communications Commission National Broadband Plan, Chapter

16: Public Safety, released March 16, 2010, available at

http://download.broadband.gov/plan/national-broadband-plan-chapter-16-public-safety.pdf;

Federal Communications Commission Notice of Inquiry on Proposed Cyber Security

Certification Program for Communications Service Providers, released April 21, 2010,

available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-10-63A1.pdf; Federal

Communications Commission Public Notice on Cybersecurity Roadmap, September 23,

2010, available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-10-1354A1.pdf;

Department of Commerce Notice of Inquiry on Cybersecurity, Innovation, and the Internet

Economy, July 28, 2010, available at

http://www.nist.gov/itl/csd/upload/Cybersecurity_NOI_0722101.pdf. 38

Google trends, ―cybersecurity,‖ GOOGLE, March 18, 2011, at

http://www.google.com/trends?q=cybersecurity&ctab=0&geo=us&date=all&sort=0. 39

For example, in a letter to President Obama last year, seven Senators note that

―Threats to cyberspace pose one of the most serious economic and national security

challenges of the 21st Century‖ and write that ―We believe that there is an urgent need for

action to address these vulnerabilities by the Administration, by Congress, and by the array

of entities affected by cyber threats.‖ Sens. Harry Reid, Patrick Leahy, Carl Levin, John

Kerry, John Rockefeller, Joseph Lieberman, and Dianne Feinstein, Letter to the President

of the United States, July 1, 2010, available at

http://fcw.com/blogs/cybersecurity/2010/07/~/media/GIG/GIG_Shared_PDF_Library/Edit


unchallenged by members of Congress or the press, and it has inflated the

threat.

There is very little verifiable evidence to substantiate the threats

claimed, and the most vocal proponents of a threat engage in rhetoric that

can only be characterized as alarmist. Cyber threat inflation parallels what

we saw in the run-up to the Iraq War.

1. The CSIS Commission Report

One of the most widely cited arguments for increased federal

involvement in cybersecurity can be found in the report of the Commission

on Cybersecurity for the 44th Presidency.40

The Commission was convened

by the Center for Strategic and International Studies (CSIS), a Washington

think tank focused on foreign policy and defense. It was chaired by two

members of Congress and composed of representatives of the IT industry,

security consultants, academics, and former government officials.41

Beginning in February 2008, the Commission acted as a self-appointed

transition team for whoever the next president would be. It held a series of

open and closed-door meetings, received classified briefings from

government officials,42

and in December issued its report warning that

―cybersecurity is now a major national security problem for the United

States,‖43

and recommending that the federal government ―regulate

cyberspace.‖44

In its report, the Commission makes assertions about the nature of the

threat, such as, ―America‘s failure to protect cyberspace is one of the most

urgent national security problems facing the new administration that will

take office in January 2009. It is . . . a battle fought mainly in the shadows.

It is a battle we are losing.‖45

Unfortunately, the report provides little

evidence to support such assertions. There is a brief recitation of various

instances of cyber-espionage conducted against government computer

orial%20PDFs/Letter_President_Cyber_Security070110.ashx.

40 CSIS Commission on Cybersecurity for the 44th Presidency, Securing Cyberspace

for the 44th Presidency (December 2008) [hereinafter Commission Report]. Eric Chabrow,

Cyber Commission Has a Hard Act to Follow, GOVINFOSECURITY.COM, Aug. 4, 2010

(noting that the Commission Report is highly regarded and has ―served as the basis for

President Obama‘s Cyberspace Policy Review and key cybersecurity bills before

Congress.‖). 41

Commission Report appendix A. 42

Id. Appendix C. 43

Id. at 1. 44

Id. at 2. 45

Id. at 11.


systems.46

However, it does not put these cases in context, nor does it

explain how these particular breaches demonstrate a national security crisis,

or that ―we are losing.‖

The report notes that Department of Defense computers are ―probed

hundreds of thousands of times each day.‖47

This is a fact that proponents of

increased federal involvement in cybersecurity often cite as evidence for a

looming threat.48

However, probing and scanning networks are the digital

equivalent of trying doorknobs to see if they are unlocked—a maneuver

available to even the most unsophisticated would-be hackers.49

The number

46

Id. at 13. 47

Id. at 12. We should note that evidence presented in support of regulation of private

networks is often that of attacks perpetrated upon government systems. In our view this

improperly conflates the two spheres. 48

For example, while defending a cybersecurity bill that he co-sponsored, Sen. Joseph

Lieberman claimed that the Internet was ―constantly being probed by other countries for

weaknesses,‖ ―Liberman Dismisses Concerns Over Internet Bill,‖ THE WALL STREET

JOURNAL, Jun. 20, 2010, available at

http://blogs.wsj.com/washwire/2010/06/20/lieberman-dismisses-concerns-over-internet-

bill/tab/print/; U.S. Deputy Secretary of Defense William Lynn III wrote in Foreign

Affairs, ―Over the past ten years, the frequency and sophistication of intrusions into U.S.

military networks have increased exponentially. Every day, U.S. military and civilian

networks are probed thousands of times and scanned millions of times.‖ William J. Lynn

III, ―Defending a New Domain,‖ FOREIGN AFFAIRS, September/October 2010, available at

http://www.foreignaffairs.com/print/66687; when asked how often federal networks are

targeted or probed each day, Rep. Adam Smith of Washington replied, ―North of a million

times,‖ Joel Connelly, ―Cyber attacks: The next big security threat?,‖ SEATTLEPI, April 11,

2010, available at http://www.seattlepi.com/default/article/Cyber-attacks-The-next-big-

security-threat-891683.php; and Robert Lentz, chief information assurance officer for the

Department of Defense, has said that Defense Department networks are probed 360 million

times each day, Declan McCullagh, ―NSA chief downplays cybersecurity power grab

reports,‖ CNET, April 21, 2009, available at http://news.cnet.com/8301-13578_3-

10224579-38.html. 49

For example, in response to claims that U.S. networks have been penetrated by

―cyberwarriors from ‗hostile powers,‘‖ security expert Marcus Ranum notes that ―all

websites are constantly probed for weaknesses by robotic worms, spammers, hackers, and

maybe even a government agent or two.‖ Marcus Ranum, ―Cyberwar Rhetoric Is Scarier

Than Threat of Foreign Attack,‖ Mar. 29, 2010, available at

http://www.usnews.com/opinion/articles/2010/03/29/cyberwar-rhetoric-is-scarier-than-

threat-of-foreign-attack_print.html; EvgenyMorozov, visiting scholar in the Liberation

Technology Program at Stanford University, notes that the claim that U.S. networks are

probed is ―so vague that even some of the most basic attacks available via the Internet—

including those organized by ‗script kiddies,‘ or amateurs who use scripts and programs

developed by professional hackers—fall under this category.‖ EvgenyMorozov, ―Battling

the Cyber Warmongers,‖ THE WALL STREET JOURNAL, May 8, 2010, available at

http://online.wsj.com/article/SB10001424052748704370704575228653351323986.html.

See also,Sean Lawson, Just How Big Is The Cyber Threat To The Department Of Defense?,

FORBES: THE FIREWALL, Jun. 4, 2010, available at

http://blogs.forbes.com/firewall/2010/06/04/just-how-big-is-the-cyber-threat-to-dod.


of times a computer network is probed is not evidence of an attack or a

breach, or a even of a problem.50

More ominously, the report states that

Porous information systems have allowed opponents to map our

vulnerabilities and plan their attacks. Depriving Americans of electricity,

communications, and financial services may not be enough to provide the

margin of victory in a conflict, but it could damage our ability to respond and

our will to resist. We should expect that exploiting vulnerabilities in cyber

infrastructure will be part of any future conflict.‖51

An enemy able to take down our electric, communications, and financial

networks at will could be a serious national security threat. And it may well

be the case that the state of security in government and private networks is

deplorable. But the CSIS report advances no reviewable evidence to

substantiate this supposed threat. There is no evidence in the report that

opponents have ―mapped vulnerabilities‖ and ―planned attacks.‖ The

probing of DoD computers and the specific cases of cyber espionage that

the report cites do not bear on the probability of a successful attack on the

electrical grid.

Nevertheless, the Commission report and the cybersecurity bills it

inspired prescribe regulation of the Internet. The report asserts plainly: ―It is

undeniable that an appropriate level of cybersecurity cannot be achieved

without regulation, as market forces alone will never provide the level of

security necessary to achieve national security objectives.‖52

But without

any verifiable evidence of a threat, how is one to know what exactly is the

―appropriate level of cybersecurity‖ and whether market forces are

providing it? How is one to judge whether the recommendations that make

up the bulk of the Commission‘s report are necessary or appropriate?

Although never clearly stated, the implication seems to be that the

report‘s authors are working from classified sources, which might explain

the dearth of verifiable evidence.53

To its credit, the Commission laments

what it considers the ―overclassification‖ of information related to

cybersecurity.54

But this should not serve as an excuse. If our past

experience with threat inflation teaches us anything, it is that we cannot

accept the word of government officials with access to classified

information as the sole source of evidence for the existence or scope of a

threat. The watchword is ―trust but verify.‖ Until those who seek regulation

50

Id. 51

Commission Report at 13. 52

Id. at 50. 53

E.g., id.at 12 & 13, citing unnamed government officials and alleged espionage. 54

Id. at 27-28.


can produce clear reviewable evidence of a threat, we should discount

assertions such as ―The evidence is both compelling and overwhelming,‖55

and, ―This is a strategic issue on par with weapons of mass destruction and

global jihad.‖56

2. Cyber War

While the CSIS Commission report may be one of the most cited

documents suggesting that we face a grave cyber threat requiring an

immediate federal response, the most popular brief for this view is the 2010

bestselling book Cyber War.57

In it, former presidential cybersecurity

advisor Richard A. Clarke and Council on Foreign Relations fellow Richard

K. Knake make the case that the United States and its infrastructure is

extremely vulnerable to military cyber attack by enemy states. They offer a

set of recommendations that includes increased regulation of Internet

service providers (ISPs) and electrical utilities.58

Clarke and Knake are clear about the threat they foresee. ―Obviously,

we have not had a full-scale cyber war yet,‖ they write, ―but we have a good

idea what it would look like if we were on the receiving end.‖59

The picture

they paint includes the collapse of the government‘s classified and

unclassified networks, refinery fires and explosions in cities across the

country, the release of ―lethal clouds of chlorine gas‖ from chemical plants,

the midair collision of 737s, train derailments, the destruction of major

financial computer networks, suburban gas pipeline explosions, a

nationwide power blackout, and satellites in space spinning out of control.60

They explain somberly about the scene:

Several thousand Americans have already died, multiples of that number

are injured and trying to get to hospitals. . . . In the days ahead, cities will run

out of food because of the train-system failures and the jumbling of data at

trucking and distribution centers. Power will not come back up because

nuclear plants have gone into secure lockdown and many conventional plants

have had their generators permanently damaged. High-tension transmission

lines on several key routes have caught fire and melted. Unable to get cash

from ATMs or bank branches, some Americans will begin to loot stores. . . .

In all the wars America has fought, no nation has ever done this kind of

damage to our cities. A sophisticated cyber war attack by one of several

nation-states could do that today, in fifteen minutes, without a single terrorist

55

Id. at 13. 56

Id. at 15. 57

RICHARD A. CLARKE & ROBERT K. KNAKE, CYBER WAR (2010). 58

Id. at 134 & 137. 59

Id. at 64. 60

Id. at 66-67.


or soldier appearing in this country.61

According to Clarke and Knake, that is the threat we face unless the

federal government takes immediate action. Readers of their bestselling

book would no doubt be as frightened at the prospect of a cyber attack as

they might have been at the prospect of Iraq passing nuclear weapons to al

Qaeda. Yet Clarke and Knake assure us, ―These are not hypotheticals.‖62

Unfortunately, they present little, if any, evidence.63

The only verifiable evidence they present to support the possibility of a

cyber doomsday relates to several well-known distributed denial of service

(DDOS) attacks. A DDOS attack works by flooding a server on the Internet

with more requests that it can handle, thereby causing it to malfunction. For

example, the web server that hosts www.gmu.edu has a certain limited

bandwidth and processing capacity with which to serve George Mason

University‘s home page to visitors.64

If several dozen persons were

browsing university web pages and simultaneously requested GMU‘s

homepage, the server would likely perform perfectly well. However, if the

server encountered a hundred thousand requests for the home page every

second, it would be overwhelmed and would likely shut down.

A person carrying out a DDOS attack will almost certainly employ a

botnet to cause the massive flood of requests on the attacked server. A

botnet is a network of computers that have been compromised without their

users‘ knowledge, usually through a computer virus.65

The attacker

remotely controls these computers and commands them to carry out the

attack.66

Experts have estimated that over 25 percent of personal computers

are compromised and form part of a botnet.67

Clarke and Knake point to several well-known DDOS attacks as

evidence of a threat. Specifically, they cite attacks on Estonia in 2007 and

61

Id. at 67-68. 62

CLARKE &KNAKE, supra note 57, at 70. 63

Apart from the sorry state of the evidence they do present, the book does not have

footnotes, bibliography, or even an index. 64

Different organizations will secure different capacities depending on the traffic they

receive. The New York Times or Amazon.com, for example, would secure much more

capacity than George Mason University for their web servers. 65

Michel van Eeten& Johannes M. Bauer, Emerging Threats to Internet Security:

Incentives, Externalities and Policy Implications, 17 J. OF CONTINGENCIES & CRISIS MGT.

221, 222 (2009). 66

Id. 67

See Tim Weber, BBC NEWS, Criminals ‗may overwhelm the web‘, Jan. 25, 2007

(Quoting several computer experts suggesting that up to a quarter of computers may part of

a botnet) available at http://news.bbc.co.uk/2/hi/business/6298641.stm; Byron Acohido&

Jon Swartz, Botnet scams are exploding, USA TODAY, March 16, 2008, at XX (quoting

experts suggesting that up to 40% of computers are part of a botnet).


Georgia in 2008, both suspected by many to have been coordinated by

Russia.68

They also mention an attack on U.S. and NATO websites after the

1999 accidental bombing of the Chinese embassy in Belgrade,69

and a July

4, 2009 attack on U.S. and South Korean websites widely attributed to

North Korea.70

These reputedly state-sponsored attacks, along with the

hundreds of thousands of other DDOS attacks by criminals and vandals

seen each year,71

are evidence of the sorry state of consumer computer

security and of how vulnerable publicly accessible servers can be. They are

not, however, evidence of the type of capability necessary to derail trains,

release chlorine gas, or bring down the power grid.

The authors admit that a DDOS attack is often little more than a

nuisance.72

The 1999 attack saw websites temporarily taken down or

defaced, but ―did little damage to U.S. military or government

operations.‖73

Similarly, the 2009 attacks against the United States and

South Korea caused several government agency websites, as well as the

websites of NASDAQ, NYSE, and the Washington Post to be intermittently

inaccessible for a few hours, but did not threaten the integrity of those

institutions.74

In fact, Clarke points out that the White House‘s servers were

able to easily deflect the attack thanks to the simple technique of ―edge

caching,‖ which he had arranged as cybersecurity coordinator.75

Without any formal regulation mandating that it be done, the affected

agencies and businesses worked with Internet service providers to filter out

the attacks.76

Once the attackers realized they were no longer having an

effect, the attacks stopped.77

Georgia similarly addressed attacks on its

websites by moving them to more resilient servers hosted outside of the

country.78

68

CLARKE &KNAKE, supra note 57, at 13, 15, & 18-20. 69

Id. at 54-55. 70

Id. at 24-25. 71

Network security firm Arbor Networks‘ worldwide systems measured more than

300,000 ―DDOS events‖ in 2010. Email from Jose Nazario, Senior Manager of Security

Research, Arbor Networks (Jan. 4, 2011). 72

CLARKE &KNAKE, supra note 57, at 55 73

Id. at 55. 74

Id. at 24-25 (―The attack did not attempt to gain control of any government systems,

nor did it disrupt any essential services.‖); Choe Sang-Hun & John Markoff, Cyberattacks

Jam Government and Commercial Web Sites in U.S. and South Korea, N.Y. TIMES, July 9,

2009, at A4 (noting that the attacks ―was relatively minor, and all but two of the sites were

fully functional within a few hours‖). 75

CLARKE &KNAKE, supra note 57, at 24-25. 76

Id. at 25. 77

Id. 78

CLARKE &KNAKE, supra note 57, at 19. Clarke and Knake also mention that

banking, settlement, and mobile phone systems were disrupted by DDOS. Id. at 20.


Clarke and Knake recognize that DDOS is an unsophisticated and

―primitive‖ form of attack that would not pose a major threat to national

security.79

Nevertheless, reference to DDOS attacks make up the bulk of the

verifiable evidence they present. They assert, however, that the reason we

have no verifiable evidence of a greater threat is that ―attackers did not want

to reveal their more sophisticated capabilities, yet.‖80

Specifically referring

to the Georgian and Estonian episodes, they write that ―[t]he Russians are

probably saving their best cyber weapons for when they really need them, in

a conflict in which NATO and the United States are involved.‖81

The

implication is eerily reminiscent of the suggestion before the invasion of

Iraq that although we lacked the type of evidence of WMD that might lead

us to action, we would not want ―the smoking gun to be a mushroom

cloud.‖82

Clarke and Knake have no proof to corroborate the type of

vulnerabilities that could pose a serious national security risk. For example,

one of the threats they identify as most serious is a sustained nationwide

power outage.83

The evidence they offer is either not reviewable or easily

debunked.

To show that the electrical grid is vulnerable, they suggest that the

Northeast power blackout of 2003 was caused in part by the ―Slammer‖

worm, which had been spreading across the Internet around that time.84

However, the final report of the joint U.S.–Canadian task force that

investigated the blackout explained clearly in 2004 that no virus, worm, or

other malicious software contributed to the power failure.85

Clarke and

Knake also point to a 2007 blackout in Brazil, which they believe was the

However, there is no footnote or other verifiable reference and Internet searches have

returned no mention of phone system malfunction. Additionally, the in-depth post-incident

report released by NATO does not mention such a malfuntion. SeeNATO COOPERATIVE

CYBER DEFENCE CENTRE OF EXCELLENCE, CYBER ATTACKS AGAINST GEORGIA:

LEGAL LESSONS IDENTIFIED (Nov. 2008), available at

http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf. 79

CLARKE &KNAKE, supra note 57, at 30, 55, 103, 191 & 257. 80

Id. at 31. 81

Id. at 21. 82



Id. at 99. 85

U.S.-CANADA POWER SYSTEM OUTAGE TASK FORCE, FINAL REPORT ON THE AUGUST

14, 2003 BLACKOUT IN THE UNITED STATES AND CANADA: CAUSES AND

RECOMMENDATIONS (Apr. 2004), 133, available

athttps://reports.energy.gov/BlackoutFinal-Web.pdf. The cause of the blackout was

ultimately attributed to, among other things, overgrown trees making contact with power

lines, which contributed to a cascading failure. Id. at 57-64.


result of criminal hacking of the power system.86

However, separate

investigations by the utility company involved, Brazil‘s independent

systems operator, and the energy regulator all concluded that the power

failure was the result of soot and dust deposits on high voltage insulators on

transmission lines.87

Given the weakness of the public evidence they offer, it is difficult to

trust the evidence Clarke and Knake present based on anonymous sources.

Specifically, they write that countries such as China have ―laced U.S.

infrastructure with logic bombs.‖88

That is, that hackers have penetrated

into the control systems of utilities, including the electrical grid, and left

behind computer programs that can later be triggered remotely to cause

damage.89

Depending on the scope of the intrusions and which systems are

compromised, this could pose a serious threat. However, Clarke and Knake

present only suppositions, not evidence.

We are told that ―America‘s national security agencies are now getting

worried about logic bombs, since they seem to have found them all over our

electric grid,‖90

and that ―[enemies] have probably done everything short of

a few keystrokes of what they would do in real cyber war.‖91

This is

speculation.

The notion that our power grid, air traffic control system, and financial

networks are rigged to blow at the press of a button would be terrifying if it

were true. But fear should not be a basis for public policy making. We

learned after the invasion of Iraq to be wary of conflated threats and flimsy

evidence. If we are to pursue the type of regulation of Internet service

providers and utilities that Clarke and Knake advocate, we should demand

more precise evidence of the threat against which we intend to guard, and of

the probability that such a threat can be realized.

Clarke and Knake lament their position when they write, ―How do you

convince someone that they have a problem when there is no evidence you

can give them?‖92

Like the CSIS Commission, they recognize that there is

86


Marcelo Soares, Brazilian Blackout Traced to Sooty Insulators, Not Hackers,

WIRED: THREAT LEVEL, Nov. 9, 2009, at

http://www.wired.com/threatlevel/2009/11/brazil_blackout.Days after the 60 Minutes

broadcast, Brazil was hit with another blackout, but a secret State Department cable

released by Wikileaks shows that the U.S. embassy in Brasilia determined that it too was

not the work of hackers. Brian Krebs, Cable: No Cyber Attack in Brazilian ’09 Blackout,

KREBS ON SECURITY, Dec. 3, 2010, at http://krebsonsecurity.com/2010/12/cable-no-cyber-

attack-in-brazilian-09-blackout. 88

CLARKE &KNAKE, supra note 57, at 54, 59, & 62. 89

Id. at 92. 90

Id. at 92 (emphasis added). 91

Id. at 191 (emphasis added). 92

Id. at 123.


insufficient public debate because much of the information about the state

of cybersecurity is classified.93

Citizens should trust but verify, and that will

require declassification and a more candid, on-the-record discussion of the

threat by government officials.

3. The Media and Other Experts

Much as in the run-up to the Iraq War, some in the media may be

contributing to threat inflation by reporting the alarmist view of a possible

threat in a generally uncritical fashion. For example, while Clarke and

Knake‘sCyber War has been widely criticized in the security trade press,94

the popular media took the book at its word. Writing in the Wall Street

Journal, Mort Zuckerman warned that enemy hackers could easily ―spill

oil, vent gas, blow up generators, derail trains, crash airplanes, cause

missiles to detonate, and wipe out reams of financial and supply-chain

data.‖95

The sole source for his column, and for his recommendation that

the federal government establish a federal cybersecurity agency to regulate

private networks, was Clarke‘s ―revealing‖ book.96

The New York Times‘s review was also approving, sweeping aside

skepticism of the book‘s doomsday scenarios by noting that Clarke, who

had previously warned the Bush and Clinton administrations about the

threat from al Qaeda before 9/11, had been right in the past.97

The review

also noted that the Wall Street Journal had recently reported that the power

grid had been penetrated by Chinese and Russian hackers and laced with

logic bombs, as Clarke and Knake had contended.98

That front page Wall Street Journal article from April 2009 is often

cited as evidence for the proposition that the power grid is rigged to blow,

but it could just as easily be cited as an example of ―mere conduit‖

93

Id. at 262. 94

See, e.g., Bruce Schneier, Book Review: Cyber War, SCHNEIER ON SECURITY, Dec.

21, 2009, at http://www.schneier.com/blog/archives/2010/12/book_review_cyb.html; Ryan

Singel, Richard Clarke‘s Cyberwar: File Under Fiction, WIRED: THREAT LEVEL, Apr. 22,

2010, at http://www.wired.com/threatlevel/2010/04/cyberwar-richard-clarke; Mike

Masnick, Dear Journalists: There Is No Cyberwar, TECHDIRT, Apr. 9, 2010, at

http://208.53.48.36/articles/20100407/1640278917.shtml. 95

Mortimer Zuckerman, How To Fight And Win The Cyberwar, WALL ST. J., Dec. 6,

2010, at XX. Law professor and blog pundit Glenn Reynolds had also previously reviewed

the book approvingly in the pages of the Wall Street Journal. Glenn Harlan Reynolds, Book

Review: Cyber War, WALL ST. J., Apr. 21, 2010, at XX. 96

Id. 97

Michiko Kakutani, The Attack Coming From Bytes, Not Bombs, N.Y. TIMES, Apr.

26, 2010, at C1. 98

Id.


reporting.99

Similar to Judith Miller‘s Iraq WMD articles, the only sources

for the article‘s claim that key infrastructure has been compromised are

anonymous U.S. intelligence officials.100

With little specificity about the

alleged infiltrations, readers are left with no way to verify the claims. The

article does cite a public pronouncement by senior CIA official Tom

Donahue that a cyber attack had caused a power blackout overseas.101

But

Donahue‘s pronouncement is what Clarke and Knake cite for their claim

that cyber attacks caused a blackout in Brazil, which we now know is

untrue.102

The author of the article, Siobhan Gorman, also contributed to another

front-page Wall Street Journalcybersecurity scoop reporting that spies had

infiltrated Pentagon computers and had stolen terabytes of data related to

the F-35 Joint Strike Fighter.103

The only sources for that report were

―current and former government officials familiar with the attacks.‖104

Later

reporting by the Associated Press, also citing anonymous officials, found

that no classified information was compromised in the breach.105

Unfortunately, without any official statement on the matter, the result of

these reports can well be to raise public alarm without offering a clear sense

of the scope or magnitude of the threat.

The now-debunked Brazil blackout was also the subject of a CBS 60

Minutesexposé on cyber war.106

For its claim that the blackouts were the

99

Siobhan Gorman, Electricity Grid in U.S. Penetrated By Spies, WALL ST. J., Apr. 8,

2010, at A1. At a July 2009 hearing, Rep. Yvette Clarke, chair of the Emerging Threats,

Cybersecurity, Science and Technology subcommittee, stated: ―If you believe intelligence

sources, our grid is already compromised. An April 2009 article in the Wall Street Journal

cited intelligence forces who claim that ‗the grid has already been penetrated by cyber

intruders from Russia and China, who are positioned to activate malicious code that could

destroy portions of the grid at their command.‘‖ Securing The Modern Electric Grid From

Physical And Cyber Attacks, Hearing before the Subcomittee on Emerging Threats,

Cybersecurity, and Science and Technology of the House Committee on Homeland

Security, July 21, 2009, available at

http://www.empactamerica.org/13%20Transcript%20of%20Homeland%20Security%20Su

bCom%20Hearing.pdf. 100

Id. 101

Id. 102

CLARKE &KNAKE, supra note 86; Marcelo Soares, supra note 87; Brian Krebs,

supra note 87. 103

Siobhan Gorman et al., Computer Spies Breach Fighter-Jet Project, WALL ST. J.,

Apr. 21, 2009, at A1. 104

Id. 105

Lolita C. Baldor, Cyber Hackers Breached Jet Fighter Program, Assoc. Press, Apr.

21, 2009, available at http://www.usnews.com/science/articles/2009/04/21/cyber-hackers-

breached-jet-fighter-program. 106

Steve Kroft, Cyber War: Sabotaging the System, CBS NEWS 60 MINUTES, Nov. 8,

2009, available at


result of cyber attacks, the newsmagazine cited only anonymous ―prominent

intelligence sources.‖107

The 60 Minutes report, however, did feature an

interview with former NSA chief, now Booz Allen Hamilton vice president,

Mike McConnell, who said a blackout was within reach of foreign hackers

and that the United States was not prepared for such an attack.108

In February of 2010, the Washington Post granted McConnell a rare

1,400 word essay in its Sunday opinion section in which he made the cyber

war case. He told readers, ―If an enemy disrupted our financial and

accounting transactions, our equities and bond markets or our retail

commerce—or created confusion about the legitimacy of those

transactions—chaos would result. Our power grids, air and ground

transportation, telecommunications, and water-filtration systems are in

jeopardy as well.‖109

While he did not provide any specific evidence to

corroborate this fear, McConnell did point to corporate espionage generally,

and specifically the then-recent incident in which Google‘s Gmail service

had been compromised—another instance of espionage attributed to

China—as evidence of a cyber threat.110

The result is more conflation of

possible cyber threats.

In July 2010, the cover of the Economist magazine featured a city

consumed by a pixelated mushroom cloud overlaid with the words,

―Cyberwar: The threat from the internet.‖111

The popular conception of

cyber threats fostered by the media, often relying on anonymous

government sources and the pronouncements of defense contractors and

consultants, can be said to be more alarming than the verifiable evidence

available would suggest. And as we will see, anonymously sourced threats

and expert assertions reported in the media are later cited by officials as

rationales for regulation.

4. Congress

Congress has also been quick to adopt the alarmist rhetoric of cyber

doom espoused by the proponents of government intervention.112

For

example, writing in the Wall Street Journal in support of their co-sponsored

http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml.

107Id.

108Id.

109 Mike McConnell, Mike McConnell on how to win the cyber-war we’re losing,

WASH. POST, Feb. 28, 2010, at B1. 110

Id. 111

THE ECONOMIST, July 1, 2010. 112

JaikumarVijayan, Senators ramp up cyberwar rhetoric,FOXBUSINESS.COM, Apr. 2,

2010, at http://www.foxbusiness.com/personal-finance/2010/04/02/senators-ramp-

cyberwar-rhetoric.


cybersecurity bill, Sens. Jay Rockefeller and Olympia Snowe warned

citizens about the potential of ―catastrophic economic loss and social

havoc‖ from cyber attack.113

However, they provided no specifics of the

threat and instead argued from authority that ―[a]s members of both the

Senate Commerce and Intelligence committees, we know our national

security and our economic security is at risk.‖114

Another argument from

authority is in the very first sentence of their op-ed, which quotes Mike

McConnell‘s oft-repeated warning, ―If the nation went to war today in a

cyberwar, we would lose.‖115

Members of Congress have used the same rhetoric at hearings on

cybersecurity. In one such hearing, Sen. Rockefeller stated,

It would be very easy to make train switches so that two trains collide, affect

or disrupt water and electricity, or release water from dams, where the

computers are involved. How our money moves, they could stop that. Any

part of the country, all of the country is vulnerable. How the Internet and

telephone communication systems work, attackers could handle that rather

easily.116

At another hearing, Sen. Rockefeller noted that ―a major cyber attack could

shut down our Nation‘s most critical infrastructure: our power grid,

telecommunications, financial services; you just think of it, and they can do

it.‖117

Sen. Snowe agreed, adding that ―if we fail to take swift action, we

risk a cybercalamity of epic proportions, with devastating implications for

our Nation.‖118

Other members of Congress have adopted similarly alarmist rhetoric.119

Speaking at a hearing, Senate Armed Services Committee Chairman Carl

113

Jay Rockefeller & Olympia Snowe,Now Is the Time to Prepare for

Cyberwar,WALL ST. J., Apr. 2, 2010, available at

http://online.wsj.com/article/SB10001424052702303960604575157703702712526.html. 114

Id. 115

Id. 116

Cybersecurity: Assessing Our Vulnerabilities and Developing an Effective

Response: Hearings Before Senate Comm. on Commerce, Science, and Transportation,

111th

Cong., (Mar. 19, 2009). 117

Cybersecurity: Next Steps to Protect Our Critical Infrastructure: Hearing Before

Senate Comm. On Commerce, Science, and Transportation, 111th Cong., (Feb 23, 2010)

[emphasis added]. 118

Id. pg 4. Sen. Snowe proceeds to list examples of cyberespionage and cybercrime,

but gives no examples of cybercalamity. 119

Administration officials have also joined in. CIA chief Leon Panetta told Congress

in February that ―the potential for the next Pearl Harbor could very well be a cyber attack.‖

Richard Serrano, LA TIMES, Feb. 11, 2011, available at

http://www.latimes.com/news/nationworld/nation/la-na-intel-hearing-

20110211,0,2209934.story.


Levin stated that ―cyber weapons and cyber attacks potentially can be

devastating, approaching weapons of mass destruction in their effects.‖120

Rep. Yvette Clarke, chairwoman of the House committee focused on

cybersecurity, has said, ―There is no more significant threat to our national

and economic security than that which we face in cyberspace.‖121

In each of these instances, members of Congress have not offered any

reviewable evidence to support their claims.

II. THE MILITARY-INDUSTRIAL COMPLEX,

THE COLD WAR, AND PARALLELS TO THE CYBER DEBATE

Threat inflation helped draw the United States into war in Iraq, and it

may be the case that a similar dynamic is taking shape in the cyber realm. If

not outright war, threat inflation related to cybersecurity may lead the

American people and their representatives to accept unjustified regulation

of the Internet and increased federal spending on cybersecurity. Since

WWII, a military-industrial complex has emerged that encourages

superfluous defense spending and, at times, placesspecial interestsbefore the

public interest. We may similarly be seeing the creation of a cyber-

industrial complex.

In his farewell address to the nation, President Dwight Eisenhower

warned against the dangers of unwarranted influence of a military-industrial

complex.122

This was a novel concern because the United States historically

resisted having a large military.123

In fact, rather than having peacetime

standing armies, the Founding Fathers preferred that the country assemble

troops only to fight wars and then draw down forces after conflicts.124

Only

after World War II did a giant military establishment persist.125

It was this

establishment that Eisenhower labeled the military-industrial complex,

describing it as the ―conjunction of an immense military establishment and

a large arms industry.‖126

Today, the complex seems to be evolving into a

120

Nominations of Vice Admiral James A. Winfield, Jr., and Lieutenant General Keith

B. Alexander Before the Senate Armed Services Committe, 111th

Congress, available

athttp://armed-services.senate.gov/Transcripts/2010/04%20April/10-32%20-%204-15-

10.pdf. 121

Reviewing the Federal Cybersecurity Mission Hearing Before the Subcomm. On

Emerging Threats, Cybersecurity, and Science and Technology of the House Comm. On

Homeland Security, 111th

Cong., at 2 (March 10, 2009). 122

President Dwight D. Eisenhower, Farewell Address, Jan. 17, 1961. 123

HOSSEIN-ZADEH, ISMAEL, THE POLITICAL ECONOMY OF US MILITARISM 11,(2006);

Eisenhower also noted the novelty of the military-industrial complex, calling it ―new in the

American experience,‖ Eisenhower, supra note 122. 124

Hossein-Zadeh, supra note 123 at 11. 125

Id. at 12 126

Eisenhower, supra note 122.


―military-cyber-intelligence mash-up‖ as defense contractors and the

military, intelligence, and civilian security agencies turn their attention to

cybersecurity.127

Eisenhower feared that a close relationship between government,

military, and industry would lead to an unnecessary expansion of military

forces, superfluous defense spending, and a breakdown of checks and

balances within the public policymaking process.128

He feared that the

influence of such an establishment would allow special interests to profit

under the guise of national security.129

A homogenous interest group—in this case, defense contractors—has a

vested interest in increasing spending or favorable regulation that will

transfer wealth from government to the group.130

Increased government

spending onan industry directly benefits producers in that industry, and

regulationthat favors an interest group can have a comparable effect.131

Special intereststherefore invest in rent-seeking capabilitiesthat

helpthem garnerwealth transfers from government, whether through

spending or legislation or regulation.132

Rent seeking, such as lobbying that

greases the rails of the political process, is socially wasteful and, perhaps

more importantly, can cause government to place interest groups‘ desires

before the public interest.133

When government grantsa wealth transfer to a concentrated interest

group—for instance, by appropriating spending to a particular industry or

compelling private companies to purchase certain products or services—the

cost is dispersed across millions of taxpayers. None of them individually

cares enough to oppose the wealth transfer, even though it may not serve

the public interest.134

In fact, the cost to each citizen is so small that hardly

any of them notice. Yet a small cost counted millions of times can be

127

Jim Wolf, Special report: The Pentagon’s new cyber warriors, REUTERS (Oct. 5,

2010, 11:44 AM), http://www.reuters.com/article/idUSTRE69433120101005. 128

James Fallows, The Dustbin of History: The Military-Industrial Complex, FOREIGN

POLICY, Nov.–Dec., 2002, at 46-47. 129

Id. 130

George Stigler, The Theory of Economic Regulation, BELL J. OF ECON. AND MGT.

SCI., (1971); Sam Peltzman, Toward a More General Theory of Regulation, J. OF LAW AND

ECON. (1976). For discussion on the interest group theory of government see Robert D.

sTollison, Rent Seeking, in PERSPECTIVES ON PUBLIC CHOICE: A HANDBOOK (Dennis C.

Mueller ed. 1997). 131

Id. 132

The seminal article on rent seeking is Gordon Tullock, The Welfare Costs of Tariffs,

Monopolies, and Theft, (1967). Also, see generally, TOWARD A THEORY OF THE RENT-

SEEKING SOCIETY, ed. Buchanan, Tollison, and Tullock (1980). 133

Id. 134

Peltzman, supra note 130. Also, see generally, MANCUR OLSON, THE LOGIC OF

COLLECTIVE ACTION: PUBLIC GOODS AND THE THEORY OF GROUPS (1965).


substantial.135

Furthermore, politicians trying to increase reelection prospects respond

logically to pleas from interest groups—they often assent to

them.136

Legislatorscan also increase goodwill back home by channeling

pork-barrel spending and jobs to their districts or states. Politicians

consequently fight to bringspending to constituentsand comply with interest

groups‘ requests, and they are often afforded political cover by claiming

their actions are in the interest of national security or the public good.These

dynamics can combine to influence government in ways that do not serve

the public interest.

When examining the military-industrial complex, it is apparent that the

various participants have shared interests. Military expansion and increased

defense spending help grow Pentagon budgets and provide steady revenues

to defense contractors.137

They also allow congressmen to win constituents‘

approval by sending appropriations and jobs back home.138

Eisenhower believed that such an alliance between industry and the

military could corrupt democratic decision-making, so he warned against its

unwarranted influence. During the bomber and missile gap episodes of his

presidency, he had seen firsthand the complex‘s propensity to trumpet and

inflate foreign threats, the needless military spending that resulted, and the

political clout and industry profits gained through the process.139

A decade after Eisenhower‘s address, one economist outlined the

dangers of the military-industrial complex:

[G]overnment not only permits and facilitates the entrenchment of private

power but serves as its fountainhead. . . . It buys at prices for which there is

little precedent and hardly any yardsticks. It deals with contractors, a large

percentage of whose business is locked into supplying defense, space, or

atomic energy needs. . . . [I]n an atmosphere shrouded by multilateral

uncertainty and constant warnings about imminent aggression. . . . Lacking

any viable institutional competition, the government becomes—in the

extreme—subservient to the private and special interests whose entrenched

power bears the government seal.140

Eisenhower‘s warning was prescient. The military-industrial complex

thrived throughout the Cold War, and today defense spending continues to

135

Id. 136

Peltzman, supra note 130. 137

Fallows, supra note 128. 138

Id. 139

Id. 140

Walter Adams, The Military-Industrial Complex and the New Industrial State, 58

THE AM. ECON. REV. 654-655 (1968).


grow to historically high levels.141

A. Cold War Military-Industrial Complex

The military-industrial complex that emerged after WWII, coupled with

inflated Soviet threats, produced unnecessary defense spending and

militarization. The bomber and missile gaps are classic examples.

During the 1956 elections, Democrats accused President Eisenhower of

allowing a bomber gap to emerge between the United States and the Soviet

Union.142

Eisenhower had cut funding for the Air Force‘s B-70 bomber,

which enraged many members of Congress who represented states or

districts home to aviation industries.143

In a history of the arms race, a former Pentagon research physicist144

notes how wide reaching the B-70 program was:

Before the first full year under [the B-70] contract was over, there were

more than forty first- and second-tier subcontractors, and approximately two

thousand vendors and suppliers were by then involved in the total program.

Seventy of the then ninety-six United States Senators had a major part of the

program in their states, and something like a majority of the Congressional

districts had at least one supplier of consequence.145

Soon after the funding was cut, House Armed Services Committee

Chairman Carl Vinson claimed, ―By cutting back the B-70 we have

increased the danger to our survival.‖146

Sen. Barry Goldwater, also an Air

Force Reserve Brigadier General, personally appealed to the president to

reconsider the cuts.147

Sen. Clair Engle of California, an officer in the Air

Force Reserve, said that curbing spending on the B-70 was a ―blunder

which may have the gravest consequences to our national security.‖148

In the days before the 1960 presidential election, the Eisenhower

141

ROBERT HIGGS, CRISIS AND LEVIATHAN: CRITICAL EPISODES IN THE GROWTH OF

AMERICAN GOVERNMENT 238 (1987); Hossein-Zadeh, supra note 123 at 14; Veronique de

Rugy, Cutting the Pentagon Budget: Reductions in military spending are both necessary

and possible, REASON MAGAZINE, July 2010. 142

William D. Hartung, Eisenhower’s Warning the Military-Industrial Complex Forty

Years Later, WORLD POLICY JOURNAL, April 1, 2001, at 39. 143

Jack Raymond, B-70 Stirs a Wide Ranging Controversy, N.Y. TIMES, Mar. 11,

1962, at E5. 144

William Grimes, Herbert York, 87, Top Nuclear Physicist Who Was Arms Control

Advocate, Dies,N.Y. TIMES, May 25, 2009, at A12. 145

HERBERT F. YORK, RACE TO OBLIVION: A PARTICIPANT‘S VIEW OF THE ARMS RACE

53 (1970). 146

Id. at 55. 147

Id. at 56. 148

Id.


Administration buckled and agreed to practically double the B-70 budget.149

The Los Angeles-based manufacturer of the jet lauded the increased

spending, as it would quell declining employment in southern California.150

But in 1959, the Air Force chief of staff had refuted the bomber gap

theory. He had told the Senate Foreign Relations Committee, ―Congress

was convinced that there was going to be a gap in bombers and instead we

are way ahead of them.‖151

But the chief‘s claim was ignored. Politicians

from both sides of the aisle continued to demand an increase in B-70

funding. The eventual increase channeled money and jobs to constituents—

contractors and vendors across the country and the aviation manufacturer in

southern California. Because of the exaggerated bomber gap, Congress

wasted billions of dollars commissioning superfluous bombers.152

Later, as a candidate in the 1960 presidential election, John F. Kennedy

accused Republicans of putting the United States at risk by allowing another

gap to emerge—the missile gap.153

Kennedy claimed, ―We are facing a gap

on which we are gambling with our survival.‖154

Sen. Stuart Symington, the

first secretary of the Air Force and a long-time advocate for military

spending, said, ―A very substantial missile gap does exist and the

Eisenhower Administration apparently is going to permit this gap to

increase.‖155

Both the Air Force and the Strategic Air Command—the military units

in charge of building and controlling long-range missiles—supported the

Senators‘ assertions.156

The units estimated that the Soviets had between

500 and 1,000 long-range missiles.157

If the Soviets really had significantly

more missiles than the United States, the Air Force had a strong argument

for diverting funds from the Army and Navy to itself to build more

missiles.158

The CIA, however, simultaneously estimated the number of

Soviet missiles to be 50.159

149

Id. 150

Id. 151

Lars-Erik Nelson, Military-Industrial Man, THE NEW YORK REVIEW OF BOOKS,

Dec. 21, 2000, at 6. 152

John Prados,Whose Soviet Threat?, N.Y. TIMES, June 7, 1982, at A19. 153

Hartung, supra note 142. 154

Defense: The Missile Gap Flap, TIME (Feb. 17, 1961)

http://www.time.com/time/magazine/article/0,9171,826840,00.html. 155

Id; For background on Symington‘s reputation re military spending, see Eric Pace,

Stuart Symington, 4-Term Senator Who Ran for President, Dies at 87, N.Y. TIMES, Dec.

15, 1988, at D26. 156

Fred Kaplan, The Rumsfeld Intelligence Agency, SLATE, Oct. 28, 2002, 5:42 PM,

http://www.slate.com/id/2073238/. 157

Id. 158

Id. 159

Id.


In his last speech before Congress, Eisenhower said, ―The bomber gap

of several years ago was always a fiction, and the missile gap shows every

sign of being the same.‖160

At the peak of the Cuban missile crisis, the

United States had 2,000 long-range missiles; the Soviets had fewer than

100.161

Shortly after Kennedy took office, Secretary of Defense Robert

McNamara said that ―[i]t took us about three weeks to determine, yes, there

was a gap. But the gap was in our favor. It was a totally erroneous charge

that Eisenhower had allowed the Soviets to develop a superior missile

force.‖162

B. Cyber-Industrial Complex

An industrial complex reminiscent of the Cold War‘s may be emerging

in cybersecurity today. Some serious threats may exist, but we have also

seen evidence of threat inflation. Alarm raised over potential cyber threats

has led to a cyber industry build-up and political competition over cyber

pork.

1. Build-up

In many cases, those now inflating the scope and probability of cyber

threats might well benefit from increased regulation and more government

spending on information security. Cybersecurity is a big and booming

industry.163

The U.S. government is expected to spend $10.5 billion per year

on information security by 2015, and analysts have estimated the worldwide

market to be as much as $140 billion per year.164

The Department of

Defense has also said it is seeking more than $3.2 billion in

cybersecurityfunding for 2012.165

160

TIME, supra note 154. 161

Missiles of October, Then and Now, N.Y. TIMES, Aug. 30, 1987, at E26. 162

Tim Weiner, Robert S. McNamara, Architect of a Futile War, Dies at 93,N.Y.

TIMES, July 7, 2009, at A1.In Cyber War, Clarke and Knake warn of a ―cyber war gap‖ that

exists between the United States and countries like Russia, China, Iran, and North Korea.

Clarke and Knake, supra note 55 at 149. The authors claim that the United States‘ weak

cyber defense capabilities and heavy dependence on online systems foster the gap. We

should, however, keep our ―gaps‖ history in mind when evaluating the authors‘ assertion. 163

Marjorie Censer and Tom Temin, The cybersecurity boom, WA. POST,May 10,

2010, http://www.washingtonpost.com/wp-

dyn/content/article/2010/05/07/AR2010050704503.html. 164

U.S. cybersecurity spending to rise, HOMELAND SECURITY NEWSWIRE,Mar. 31,

2010, http://homelandsecuritynewswire.com/us-cybersecurity-spending-rise; Jim Wolf,

Pentagon seeks tight ties with cyber contractors, Oct. 21, 2010, 7:20 AM,

http://www.reuters.com/article/idUSTRE69J4OW20101021. 165

Cyber Spending at Defense, NextGov.com, Mar. 29, 2011,


In recent years, in addition to traditional information security providers

like MacAfee, Symantec, and Checkpoint, defense contractors and

consulting firms have recognized lucrative opportunities in cybersecurity.166

To weather probable cuts on traditional defense spending, and to take

advantage of the growing market, these firms have positioned themselves to

compete with information security firms for government contracts.167

Lockheed Martin, Boeing, L-3 Communications, SAIC, and BAE Systems

have all launched cybersecurity business divisions in recent years.168

Other traditional defense contractors, like Northrop Grumman,

Raytheon, and ManTech International, have also invested in information

security products and services.169

Such investments appear to have

positioned defense firms well. In 2009, the top 10 information technology

federal contractors included Lockheed Martin, Boeing, Northrop Grumman,

General Dynamics, Raytheon, SAIC, L-3 Communications, and Booz Allen

Hamilton.170

Traditional IT firms also see more opportunities to profit from

cybersecurity business in both the public and private sectors.171

Earlier this

year, a software security company executive noted ―a very large rise in

interest in spending on computer security by the government.‖172

And as

one IT market analyst put it: ―It‘s a cyber war and we‘re fighting it. In order

to fight it, you need to spend more money, and some of the core

beneficiaries of that trend will be the security software companies.‖173

Some companies from diverse industries have also combined forces in

the cybersecurity buildup. In 2009, a combination of defense, security, and

tech companies, including Lockheed, McAfee, Symantec, Cisco, Dell,

Hewlett-Packard, Intel, Juniper Networks, and Microsoft, formed a

athttp://www.nextgov.com/nextgov/ng_20110329_1325.php.

166GopalRatnam, Lockheed, Boeing Tap $11 Billion Cybersecurity Market (Update2),

BLOOMBERG,Dec. 30, 2008, 4:18 PM,

http://www.bloomberg.com/apps/news?pid=newsarchive&sid=an2_Z6u1JPGw; Aaron

Ricdela, Symantec, McAfee, Checkpoint Await Spending Surge, BLOOMBERG

BUSINESSWEEK, Jan. 18, 2010, 10:19 PM,

http://www.businessweek.com/print/technology/content/jan2010/tc20100115_453540.htm;

The cybersecurity boom, supra note 163. 167

August Cole and Siobhan Gorman, Defense Firms Pursue Cyber-Security Work,

THE WALL STREET JOURNAL, Mar. 18, 2009,at A4; Ratnam, supra note 166. 168

Ratnam, supra note 166; Censer and Temin, supra note 163. 169

Wolf, supra note 164. 170

Tom Barry, Synergy in Security: The Rise of the National Security Complex,

DOLLARS & SENSE (Mar./Apr. 2010),

http://www.dollarsandsense.org/archives/2010/0310barry.html. 171

Ricdela, supra note 166. 172

Id. 173

Id.


cybersecurity technology alliance to study threats and innovate solutions.174

IT lobbyists, too, have looked forward to cybersecurity budget

increases, to the dismay of at least one executive at a small tech firm, who

claimed, ―Money gets spent on the vendors who spend millions lobbying

Congress.‖175

There are serious real online threats, and security firms, government

agencies, the military, and private companies clearly must invest to protect

against such threats. But as with the Cold War bomber and missile gap

frenzies, we must be wary of parties with vested interests exaggerating

threats, leading to unjustified and superfluous defense spending in the name

of national security.

2. Cyber Pork

Private firms are not the only ones to have noticed increased

cybersecurity spending. Politicians and government officials have also

taken notice and likely see it as an opportunity to bring federal dollars to

their states and districts.

In spring of 2010, the Air Force officially established Cyber Command,

a new unit in charge of the military‘s offensive and defensive cyber

capabilities.176

Cyber Command allows the military to protect its critical

networks and coordinate its cyber capabilities, an important function.177

But

the pork feeding frenzy that Cyber Command precipitated offers a useful

example of what could happen if legislators or regulators call for similar

buildup related to private networks.

Beginning in early 2008, towns across the country sought to lure the

permanent headquarters of Cyber Command.178

In recent years, the Air

174

Dan Lohrmann, New Cybersecurity Technology Alliance Points the Way,

GOVERNTMENT TECHNOLOGY BLOGS (Nov. 13, 2009, 3:46 AM)

http://www.govtechblogs.com/lohrmann_on_infrastructure/2009/11/new-cyber-security-

technology.php. 175

Kate Gerwig, Cyber-security policy locks down lobbyist job security, IT

KNOWLEDGE EXCHANGE, Jan. 26, 2009, 2:15 AM,

http://itknowledgeexchange.techtarget.com/telecom-timeout-blog/cyber-security-policy-

boon-to-lobbyist-job-security/; John Leyden, US and UK gov cyber defences = big boys’

trough-slurp, THE REGISTER,Oct. 22, 2010, 2:15 PM,

http://www.theregister.co.uk/2010/10/22/firewall_guru_interview/. 176

Ellen Nakashima, Gen. Keith Alexander confirmed to head cyber-command, WA.

POST, May 11, 2010, at A13. 177

GauthamNagesh, Gates officially establishes U.S. Cyber Command, THE HILL,May

24, 2010, 11:43 AM, http://thehill.com/blogs/hillicon-valley/technology/99481-gates-

officially-establishes-us-cyber-command. 178

Marty Graham, Welcome to Cyberwar Country, USA, WIRED, Feb. 11, 2008,

http://www.wired.com/politics/security/news/2008/02/cyber_command.


Force had significantly trimmed its active duty force, and the branch is still

trying to reduce its numbers to reflect a Congressional mandate.179

Amid

such cuts, and with calls to cut traditional defense spending, the military has

looked to cyberspace as a new spending front.180

It was estimated that

Cyber Command headquarters would bring at least 10,000 direct and

ancillary jobs, billions of dollars in contracts, and millions in local

spending.181

Politicians naturally saw the Command as an opportunity to boost local

economies. Governors pitched their respective states to the secretary of the

Air Force, a dozen congressional delegations lobbied for the Command, and

Louisiana Governor Bobby Jindal even lobbied President Bush during a

meeting on Hurricane Katrina recovery.182

Eventually communities in 18

states were vying for the Command,183

many offering gifts of land,

infrastructure, and tax breaks.184

The city of Bossier, Louisiana, proposed a $100 million ―Cyber

Innovation Center‖ office complex next to Barksdale AFB in hopes of

luring Cyber Command there.185

It began by building an $11 million bomb-

resistant ―cyber fortress‖ complete with a moat.186

In Yuba City, California,

community leaders gathered 53 signatures from the state‘s congressional

delegation and preached the merits of nearby Silicon Valley in their effort

to lure the Command.187

Colorado Springs touted the hardened location of

Cheyenne Mountain, NORAD headquarters.188

In Nebraska, the Omaha Development Foundation purchased 136 acres

of land just south of Offutt Air Force Base and offered it as a site for the

Command.189

The president of a local chamber of commerce said, ―It‘s all

political, where they decide to put it. We‘re clearly the best situated and

179

Bruce Rolfsen, Drawdown: Force to be cut by 6,000 airmen, AIR FORCE TIMES,

Apr. 12, 2010, 8:58 AM,

http://www.airforcetimes.com/news/2010/04/airforce_drawdown_041210w/. 180

Graham, supra note 178; The defence industry, War on new fronts: Different tactics

are needed to profit from a slowdown in defence spending, THE ECONOMIST, Nov. 4, 2010,

http://www.economist.com/node/17420367; Ratnam, supra note 166. 181

Graham, supra note 178. 182

Id. 183

Erik Holmes, 18 States vie for Cyber Command headquarters, AIR FORCE TIMES,

Mar. 9, 2008, 2:36 PM,

http://www.airforcetimes.com/news/2008/03/airforce_cyber_command_030908/ 184

Graham, supra note178. 185

Id. 186

Id. 187

Id. 188

Id. 189

Id.


equipped. But that doesn‘t mean we‘ll get it.‖190

The Air Force ultimately established Cyber Command headquarters at

Fort Meade, Maryland, integrated with the NSA headquarters.191

Maryland

politicians who had touted the cyber threat and sought the Command

welcomed this. Sen. Barbara Mikulski had previously proclaimed, ―We are

at war, we are being attacked, and we are being hacked.‖192

Governor

Martin O‘Malley has noted, ―We not only think that Maryland can be the

national epicenter for cybersecurity; the fact of the matter is, our state

already is the epicenter for our country.‖193

After the announcement that Cyber Command would be established at

Fort Meade, O‘Malley praised the decision as one that would bolster

national security and provide ―endless economic opportunity and job

creation.‖194

His press statement estimated the Command would bring more

than 21,000 military and civilian jobs to the area.195

Local defense

contractors and tech firms also relished the announcement and the $15 to

$30 billion in expected spending it would bring over the next five years.196

Other recent examples highlight what could be a trend toward more

cyber pork. In January 2011, the NSA and Army Corps of Engineers broke

ground on a $1.2 billion dollar data center outside of Salt Lake City for

which Sen. Orrin Hatch lobbied.197

The same month, DHS announced that it

would invest $16 million to test security solutions at the University of

Southern California.198

Proposed cybersecurity legislation also presents opportunities for

congressional pork barrel spending. For example, the Cybersecurity Act of

2010 proposed by Senators Jay Rockefeller and Olympia Snowe called for

190

Id. 191

Nagesh, supra note 177; Nakashima, supra note 176. 192

Gus Sentementes, O’Malley to promote Md. As U.S. cybersecurity hub, THE

BALTIMORE SUN, Jan. 12, 2010, at 10A. 193

Id. 194

Statement from Governor Martin O‘Malley on Establishment of Cyber Command

in Maryland, OFFICE OF GOVERNOR MARTIN O‘MALLEY,May 21,

2010,)http://www.governor.maryland.gov/pressreleases/100521e.asp. 195

Id. 196

Daniel Sernovitz, Tech firms flock to Fort Meade for cyber warfare work,

BALTIMORE BUSINESS JOURNAL, July 12, 2010, 12:00 AM, available at

http://www.bizjournals.com/baltimore/stories/2010/07/12/story12.html; Sonny Goldreich,

Commercial Real Estate: Cyber Command to bring jobs to Fort Meade, GAZETTE.NET,May

28, 2010, available athttp://www.gazette.net/stories/05282010/businew174314_32560.php. 197

Pam Benson, Utah will be site of huge cyber protection facility, CNN, Jan. 12,

2011, at http://articles.cnn.com/2011-01-12/politics/cyber.defense.center_1_cyber-security-

homeland-security-utah. 198

DHS invests $16M in cybersecuritytestbed, SECURITYINFOWATCH, Jan. 17, 2011,

10:43 AM, at http://www.securityinfowatch.com/node/1319202.

http://www.google.com/url?q=http%3A%2F%2Fwww.gazette.net%2Fstories%2F05282010%2Fbusinew174314_32560.php&sa=D&sntz=1&usg=AFQjCNG7sp7MBuWWehz55ZkgK_EES35omQ



















the creation of regional cybersecurity centers across the country, a cyber

scholarship-for-service program, and myriad cybersecurity research and

development grants.199

The military-industrial complex was born out of exaggerated Soviet

threats, a defense industry closely allied with the military and Department

of Defense, and politicians striving to bring pork and jobs home to

constituents. A similar cyber-industrial complex may be emerging today,

and its players call for government involvement that may be superfluous

and definitely allows for rent seeking and pork barreling.

III. POLICY IMPLICATIONS

So far we have seen the potential of threat inflation in the cybersecurity

arena, and how it may result in a new cyber-industrial complex. In this final

Part we will examine the proposals made by advocates of federal

intervention and the rationales presented for those proposals. We will also

suggest a simple framework for determining whether government

intervention is indeed necessary.

A. Proposals and Rationales

Calls for federal involvement in Internet security run the gamut from

simple requests for more research funding to serious interventions in the

business practices of infrastructure providers. However, they often do not

consider the costs or consequences associated with such interventions.

At one end of the spectrum we have seen calls to scrap the Internet as

we know it. For example, Mike McConnell has suggested that ―we need to

reengineer the Internet to make attribution, geolocation, intelligence

analysis and impact assessment—who did it, from where, why and what

was the result—more manageable.‖200

Richard Clarke has recommended the

same: ―Instead of spending money on security solutions, maybe we need to

seriously think of redesigning network architecture, giving money for

research into the next protocols, maybe even think about another, more

secure Internet.‖201

A ―reengineered,‖ more secure Internet is likely a very different Internet

than the open and innovative network we know today. It might be an

Internet on which information flows are much more easily controlled by

government, and in which anonymity is impossible, posing a threat to free

199

Cybersecurity Act of 2009, S. 773, § 5(a), § 12(a), § 11(e) (2009). 200

McConnell, supra note 109. 201

ITWEB, Focus on cyber war defence: Expert, DEFENCEWEB, Oct. 14, 2010,

athttp://www.defenceweb.co.za/index.php?option=com_content&view=article&id=10037.


speech.202

This is so because the ability to attribute malicious behavior to

individuals would require that individuals identify themselves when logging

on.203

A capability to track and attribute malicious activities could just as

easily be employed to track and control any other type of activity.

We have also seen proposals to require tier 1 Internet service providers

to engage in deep packet inspection of Internet traffic in order to filter out

malicious data.204

The federal government already engages in deep packet

inspection on its own networks through the Department of Homeland

Security‘s ―EINSTEIN‖ program.205

The idea would be to require the same

type of monitoring from the Internet‘s private backbone operators.206

Such

approaches likely threaten user privacy. Deep packet inspection is

essentially eavesdropping, and the same way it can be used to identify

malicious data, it can be used to identify other classes of communication.

There have also been proposals at the FCC and in Congress for the

certification or licensing of network security professionals, as well as calls

for mandated security standards. For example, the Rockefeller-Snowe bill

would require the Department of Commerce to develop ―a national

licensing, certification, and periodic recertification program for

cybersecurity professionals,‖ and would make certification mandatory for

anyone engaged in cybersecurity.207

While certification may seem harmless,

occupational licensing mandates should never be taken lightly. They have

the potential to restrict entry, reduce competition, and hamper innovation.208

202

See Marjory S. Blumenthal & David D. Clark, Rethinking the Design of the Internet:

The End-to-End Arguments vs. the Brave New World, 1 ACM TRANSACTIONS ON INTERNET

TECH. 70, 76 (2001). See also, Testimony of Marc Rotenberg,Planning for the Future of

Cyber Attack Attribution: Hearing Before Subcomm. On Technology and Innovation of the

Comm. On Science and Technology, 111th

Cong., July 15, 2010, available at

http://epic.org/privacy/cybersecurity/EPIC_HouseSci_Testimony_2010-07-15.pdf. 203

The White House, Cyberspace Policy Review, May 2009, available at

http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

(noting that ―We cannot improve cybersecurity without improving authentication, and

identity management is not just about authenticating people. Authentication mechanisms

also can help ensure that online transactions only involve trustworthy data, hardware, and

software for networks and devices.‖). Another concern is that authentication will fail to

prevent malicious activities because criminals will simply hijack legitimate identities

before committing crimes and attacks. 204

CLARKE &KNAKE, supra note 57, at 162-64. 205

The Comprehensive National Cybersecurity Initiative at 3. 206

CLARKE &KNAKE, supra note 57, at 120& 273-275. Columbia computer science

professor and security expert Steven Bellovin has critiqued Clarke and Knake‘s deep

packet inspection suggestion, explaining that it may not even be technically possible.

Steven Bellowin, Clarke and Knake’s “Cyberwar,” CircleID, Jul. 14, 2010, at

http://www.circleid.com/posts/print/clarke_and_knakes_cyberwar. 207

Cybersecurity Act of 2009, S. 773, § 7(a) & (b) (2009). 208

See generallyMORRIS M. KLEINER, LICENSING OCCUPATIONS: ENSURING QUALITY


Finally, there have been calls for subsidies—including the creation of

regional cybersecurity centers across the country to help medium-sized

businesses protect their networks—as well as calls for more federal dollars

for education and research and development.209

Given the sweeping nature of these proposals, one would imagine that

their proponents carefully justify them. Unfortunately, the rationales offered

are generally mere assertions employing the rhetoric of threat inflation. At a

general level, there is a tendency by cybersecurity experts to report that

markets are incapable of providing adequate security without providing any

evidence for the claim. More specifically, Congressional sponsors of

legislation simply cite the testimony of consultants and anonymously

sourced press reports to justify their bills.

For example, the CSIS Commission Report is very clear that what it

seeks is the regulation of cyberspace. It argues that market forces ―will

never provide the level of security necessary to achieve national security

objectives,‖210

yet it does not provide any empirical evidence for this

assertion. Instead the Commission simply makes the argument that national

defense is a public good, and points out that private firms ―have little

incentive to spend on national defense as they bear all of the cost but do not

reap all of the return.‖211

Of course, a firm need not ―reap all of the return‖ in order to have an

incentive to spend on security. As long as they are able to internalize

enough of the return to justify their expenditure, they may do so even if in

the process they produce a positive externality that they cannot capture.212

Therefore, whether there is market failure or not is an empirical question

and, as we will see below, one that is part of a proper regulatory analysis.

Unfortunately the CSIS Commission report does not engage in such an

analysis.

Mike McConnell has argued that regulation is justified simply because

cybersecurity is a significant issue. Testifying before Congress, he stated

that ―cyber has become so important to the lives of our citizens and the

functioning of our economy that gone are the days when Silicon Valley

could say ‗hands off‘ to a Government role.‖213

He provided no further

analysis for this claim.

Clarke and Knake, for their part, seem to suggest that regulations need

OR RESTRICTING COMPETITION? (2006).

209 Commission Report at 74; S. 773 at § 11(e).

210Commission Report at 50. See also id. at 2, 10, & 49.

211Commission Report at 50.

212Mancur Olson, THE LOGIC OF COLLECTIVE ACTION 49-51.

213Cybersecurity: Next Steps to Protect Our Critical Infrastructure, Hearing before the

Senate Committee On Commerce, Science, And Transportation, Feb. 22, 201, available at

http://www.fas.org/irp/congress/2010_hr/cybersec.pdf.


not be justified at all. They criticize the cybersecurity initiatives of the

Clinton, Bush, and Obama Administrations for ―eschewing regulation.‖214

For example, Clarke bemoans that a Presidential Decision Document

outlining the Clinton Administration‘s cybersecurity policy, which he

helped draft, ultimately included a statement indicating that the first choice

to address cybersecurity concerns should be ―incentives that the market

provides‖ and that ―regulation will be used only in the face of a material

failure of the market.‖215

It is interesting to note, however, that the experts understand the

limitations of their positions. Clarke and Knake admit that the types of

regulations that they propose make it easier for government to violate the

privacy of citizens, and they point out recent episodes of just such abuse,

including the alleged illegal NSA wiretapping during the Bush

Administration.216

They nevertheless conclude, ―There may be times,

however, as in the case of cyber war, when we should examine whether

effective safeguards can be put in place so that we can start new programs

that entail some risk.‖217

Similarly, both Clarke and Knake and the CSIS Commission Report

admit that regulatory solutions tend to be inflexible, slow to change, and

have the potential to stifle innovation.218

However, both also make the case

that the type of regulation they have in mind would be immune to the

political realities that have traditionally made regulation of such a fast-

moving sphere ineffective.219

To justify their particular bills, members of Congress do not generally

engage in much analysis, and simply tend to cite press reports and the

assertions of experts. For example, the Rockefeller-Snowe bill includes a

findings section outlining the reasons why government intervention in

cybersecurity is ostensibly necessary.220

In it they cite Mike McConnell‘s

warning that had the 9/11 terrorists chosen laptops rather than airplanes, the

economic fallout of the attacks would have been orders of magnitude

greater, as well as the CSIS Commission Report, and Paul Kurtz, Richard

Clarke‘s security consulting partner.221

214

CLARKE &KNAKE, supra note 57, at 108-109 (critiquing Clinton), 113 (critiquing

Bush), 116-118 (critiquing Obama). 215

Id. at108.See also, The Clinton Administration‘s Policy on Critical Infrastructure

Protection: Presidential Decision Directive 63, May 1998, available

athttp://clinton4.nara.gov/WH/EOP/NSC/html/documents/NSCDoc3.html. 216


Id. at 134-35. 218

Commission Report at 51; CLARKE &KNAKE, supra note 57, at 133-34. 219

Commission Report at 51-53; CLARKE&KNAKE, supra note 57, at 134. 220

Cybersecurity Act of 2009, S. 773, § 2 (2009). 221

Cybersecurity Act of 2009, S. 773, § 2(10) (2009). But see Sean Lawson, Beyond


Introducing on the Senate floor the comprehensive cybersecurity bill

that she co-authored with Sen. Joe Lieberman, Sen. Susan Collins sought to

make the case for federal intervention by providing a list of ―disturbing‖

recent cyber attacks.222

She began with two familiar examples:

Press reports a year ago stated that China and Russia had penetrated the

computer systems of America‘s electrical grid. The hackers allegedly left

behind malicious hidden software that could be activated later to disrupt the

grid during a war or other national crisis.

At about the same time, we learned that, beginning in 2007 and

continuing well into 2008, hackers repeatedly broke into the computer systems

of the Pentagon‘s $300-billion Joint Strike Fighter project. They stole crucial

information about the Defense Department‘s costliest weapons program

ever.223

Sen. Collins was not providing any verifiable evidence of a threat, but was

instead simply quoting the front-page Wall Street Journal stories that we

have seen relied exclusively on information from anonymous government

officials.224

Rep. Yvette Clarke has also cited the Wall Street Journal‘s

reporting about the electrical grid during a hearing in support of

legislation.225

The fact that members of Congress are citing anonymously

sourced press accounts of a government leak, rather than hard evidence, as a

rationale for legislation is disheartening. It is also reminiscent of Vice

President Cheney citing Judith Miller and Michael Gordon‘s New York

Times reporting as evidence of an Iraqi nuclear threat.

B. Conducting a Proper Analysis

Perhaps the most frustrating aspect of the calls for cybersecurity

regulations is that they have not been accompanied by economic analysis to

determine their need or effectiveness. This final section, therefore, seeks to

offer a simple framework for assessing whether in fact federal intervention

in cybersecurity is warranted. Let us be very clear: although we are

Cyber-Doom: Cyberattack Scenarios and the Evidence of History, Mercatus Center

Working Paper No. 11-01, January 2011, at 6-7 & 20-22 (arguing that comparisons of

cyber threats to 9/11 are not apt and that the U.S. proved resilient to those attacks and

would likely be resilient to a large cyber attack). 222

156 Cong. Rec. S4852-S4855 (daily ed. June 10, 2010) (statement of Sens.

Lieberman & Collins). 223

Id. at S4853. 224

See supra notes 99-101 and accompanying text. 225

Reviewing the Federal Cybersecurity Mission Hearing Before the Subcomm. On

Emerging Threats, Cybersecurity, and Science and Technology of the House Comm. On

Homeland Security, 111th

Cong., at 2 (March 10, 2009).


skeptical of the scope of the threat as presented by the proponents of

regulation, we do not doubt that cyber threats do exist, nor would we

suggest that regulation can never be appropriate. What we do propose is that

before we rush to regulate cyberspace we should first demand verifiable

evidence of the threat and its scope and, second, we should use any such

evidence to conduct a proper analysis to determine whether regulation is

necessary and if it will do more good than harm.

Regulatory analysis is the generally accepted toolkit used to evaluate

proposed government interventions in the market.226

The Office of

Management and Budget has set forth the key elements of regulatory

analysis in its Circular A-4, which guides all executive agency

rulemaking.227

The steps to a proper analysis include:

Determining the need for regulation in terms of market failure or

other systemic problem228

Considering alternatives to federal regulation and alternative

forms of regulation229

Determining the costs and benefits of proposed regulations230

We do not attempt to conduct an analysis of any proposed regulations

here. Instead we simply use the framework to evaluate the evidence as it

stands now and suggest that a similar analysis be conducted before

cybersecurity regulation or legislation is adopted.

The first step of any analysis is to clearly state the problem one is trying

to solve.231

It seems obvious, but without a clear sense of the problem, and

one‘s desired outcome, one cannot properly assess the problem or possible

solutions.

One view of the cybersecurity problem is cyber war. That is, the threat

that foreign states or organizations could employ cyber attacks to strike at

our critical infrastructure.What evidence do we have to corroborate these

massive threats? Mike McConnell has cited the hacking of Google‘s Gmail

226

See Jerry Ellig& Jerry Brito, Toward a More Perfect Union: Regulatory Analysis

and Performance Management, 8 FLA. ST. BUS. L. REV. 1 (2009). 227

OFFICE OF MANAGEMENT AND BUDGET, Circular A-4: Regulatory Analysis (Sept.

17, 2003), available at http://www.whitehouse.gov/omb/circulars_a004_a-4 [hereinafter

Circular A-4]. President Obama recently endorsed Circular A-4s and its decision making

process in his executive order on regulatory review. Exec. Order No. 13563 of Jan. 18,

2011, available at http://www.whitehouse.gov/the-press-office/2011/01/18/improving-

regulation-and-regulatory-review-executive-order. 228

Circular A-4 at 3-4. 229

Id. at 6-7. 230

Id. at 9-11. 231

Ellig&Brito, supra note 226, at 29.


service—a case of espionage that has been attributed to China—as well as

other instances of espionage and IP theft.232

Similarly, the only verifiable

evidence that Clarke and Knake present is of denial of service attacks or

cyber espionage. They also cite anonymous sources suggesting that the

power grid has been compromised and is riddled with ―logic bombs.‖233

Two things stand out here. First, as we have seen, there is lack of

verifiable evidence of a cyber war threat. The implication is that the hard

evidence is classified and the public is not privy to it. However, before the

American people can be expected to support far-reaching regulation, we

must have some evidence of the threat and its probability. Fear is not a basis

for policy making. If this means declassifying embarrassing information to

some extent, it might be necessary.234

It is the only way we can be sure that

we are not simply seeing threat inflation at work.

The CSIS Report and Clarke and Knake all bemoan the

overclassification of information related to cyber threats.235

Former NSA

and CIA chief Gen. Michael Hayden gets to the core of the issue writing in

Strategic Studies Quarterly:

Let me be clear: This stuff is overprotected. It is far easier to learn about

physical threats from US government agencies than to learn about cyber

threats. . . . [I]f we want to shift the popular culture, we need a broader flow of

information to corporations and individuals to educate them on the threat. To

do that we need to recalibrate what is truly secret. Our most pressing need is

clear policy, formed by shared consensus, shaped by informed discussion, and

createdby a common body of knowledge. With no common knowledge, no

meaningful discussion, and no consensus . . . the policy vacuum continues.

This will not be easy, and in the wake of WikiLeaks it will require courage;

but, it is essential and should itself be the subject of intense discussion.236

Second, there is the danger of conflating threats. Physical threats to

critical infrastructure, cyber espionage, and denial of service attacks are all

232

McConnell, supra note 109. 233

CLARKE &KNAKE, supra note 57, at 54, 59, & 62. 234

As President Obama has stated, ―The Government should not keep information

confidential merely because public officials might be embarrassed by disclosure, because

errors and failures might be revealed, or because of speculative or abstract fears.

Nondisclosure should never be based on an effort to protect the personal interests of

Government officials at the expense of those they are supposed to serve.‖ Memorandum

from President Obama to the Heads of Executive Departments and Agencies regarding the

Freedom of Information Act (Jan. 21, 2009), available at

http://www.fas.org/sgp/obama/foia012109.html. 235

Commission Report at 27-28; CLARKE &KNAKE, supra note 57, at 262. 236

Michael V. Hayden, The Future of Things “Cyber”, 5 STRATEGIC STUD. Q. 3, 5

(2011), available at http://www.au.af.mil/au/ssq/2011/spring/hayden.pdf.


different beasts.237

Evidence for each of them is no more interchangeable

than evidence of a chemical or biological weapons capability is evidence of

a nuclear capability.

As the CSIS Commission report has pointed out, the real threat of cyber

attack is not a physical threat, but an informational one.238

So let us set

aside the more alarmist visions of cyber war and focus on the cybersecurity

problems for which there is evidence: cyber espionage and denial of service

attacks. The policy question being asked is whether private businesses,

when left to their own devices, provide enough cybersecurity to address

these problems, or if some government involvement is justified.239

The next step in regulatory analysis is to determine whether there is a

market failure or some other systemic problem.

Let us first look at cyber espionage. The CSIS Commission, Clarke,

McConnell, and others identify a massive loss of intellectual property from

American companies as a major component of the national security threat

that they see.240

To the extent that this is the case, it would seem that private

industry should have the best incentive to protect itself from that threat.241

After all, they internalize the cost of IP theft and loss of reputation. It is

therefore difficult to see the market failure here, but it is an empirical

question and the burden of proof is on those who favor regulation to provide

evidence to the contrary.

Next, let us turn to denial of service attacks and other threats that stem

from compromised computers. Here we can put forth an arguable case that

there can be a market failure.Because computers can be part of a botnet

without the user‘s knowledge, the user does not always internalize the harm

237

James Lewis, Thresholds for Cyberwarfare, IEEE SECURITY AND PRIVACY, Feb.

17, 2011, available at http://doi.ieeecomputersociety.org/10.1109/MSP.2011.25. 238

Commission Report at 12. 239

Benjamin Powell, Is Cybersecurity a Public Good? Evidence from the Financial

Services Industry, Independent Institute Working Paper No. 57, March 14, 2005, at 1,

available athttp://www.independent.org/pdf/working_papers/57_cyber.pdf. 240

Commission Report at 11; CLARKE &KNAKE, supra note 57, at 126; S.773 at § 2. 241

Wolf, supra note 127 (―Greg Neichin of San Francisco-based Cleantech Group

LLC, a research firm, says utility companies already are well aware of the need to guard

their infrastructure, which can represent billions of dollars of investment. ‗Private industry

is throwing huge sums at this already,‘ he says. ‗What is the gain from government

involvement?‘‖); Doug Raymond, head of monetization at Google Asia-Pacific, notes,

―Companies like Google are the ones who are hurt the most when our users' trust is put in

question or material of economic value is stolen. . . . [technology] has been so rapidly

changing that, in my observation, the best people to stay ahead of the curve and come up

with solutions are those who are on the ground managing those products day to day.‖ The

Center for National Policy, transcript of event ―The Private Sector‘s Role in Cyber

Security,‖ Apr. 14, 2010, available

athttp://www.centerfornationalpolicy.org/ht/a/GetDocumentAction/i/18044.


from poor security, while imposing a negative externality on others.242

But

before we conclude that there is a market failure, and that regulation is the

only answer, we should look at the issue more closely.

First, it is not true that a user will not internalize any of the cost of an

infected computer.243

In reality, good security practices create both public

and private benefits.244

While a user may not have an incentive to protect

others, he should be concerned about viruses, spyware, and other threats to

the integrity of his own data. As a result, the relevant policy question is, are

the private benefits sufficient to cause firms and consumers to provide

enough security.245

As mentioned above, the CSIS Commission feels it knows the answer to

this question: ―Anappropriate level of cybersecurity cannot be achieved

without regulation, as market forces alone will never provide the level of

security necessary to achieve national security objectives.‖246

Again, the

burden is on proponents of regulation to explain how they determine what is

the appropriate level of cybersecurity, and how they determine that the

private sector is under-providing it. Those are empirical questions that, as

we have seen, have so far only been answered with assertions.

Finally, it should be pointed out that even if one were to determine that

cybersecurity is under-provided by the private sector, one would then have

to proceed to the next questions in an economic analysis: consider different

alternatives to regulation, as well as alternative forms of regulation, and

determine whether the benefits of the chosen alternative outweigh its costs.

Indeed, although cyber-doom scenarios are often presented as existential

threats to our fragile interconnected society, the evidence from history—

from WWII to 9/11 to Katrina—is that people and institutions are incredibly

resilient and would likely bounce back from any probable cyber attack.247

242

vanEeten& Bauer, supra note 65. 243

Powell, supra note 239, at 4. 244

Id. 245

Id. Some initial evidence may suggest that ISPs are indeed taking steps to grapple

with the malware and botnet problems. For example, Comcast has begun warning

customers that their computers are likely compromised. Brian Krebs, Comcast Pushes Bot

Alert Program Nationwide, KREBS ON SECURITY, Oct. 4, 2010,

athttp://krebsonsecurity.com/2010/10/comcast-pushes-bot-alert-program-nationwide. Also,

a private cyber insurance market seems to be forming. See Jay P. Kesan et al., The

Economic Case for Cyberinsurance, University of Illinois College of Law Law and

Economics Working Paper No. 2004-2, available at

http://www.heartland.org/custom/semod_policybot/pdf/28828.pdf; Internet Security

Alliance, White Paper: Cyber-Insurance Metrics and Impact on Cyber-Security, available

at http://www.whitehouse.gov/files/documents/cyber/ISA%20-%20Cyber-

Insurance%20Metrics%20and%20Impact%20on%20Cyber-Security.pdf. 246

Commission Report at 50 (emphasis added). 247

SeeSean Lawson, Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of


As Aaron Wildavsky puts it when addressing how best to respond to

dangers that cannot be understood in advance: ―My vote goes to the

resilience that comes from passing many trials and learning from errors so

that the defects of society‘s limited imagination are made up by larger

amounts of global resources that can be converted into meeting the dangers

that its members never thought would arise.‖248

Both Mr. Clarke and the CSIS Commission explain that command and

control regulation has failed in past, and that government has abused the

surveillance powers that it has been granted. But this time, they say, things

will be different. New technologies will allow us to employ ―smart

regulation‖ that will be immune to human incentives. There is little reason

not to be skeptical of these suggestions.

CONCLUSION

Cybersecurity is an important policy issue, but the alarmist rhetoric

coming out of Washington that focuses on worst-case scenarios is unhelpful

and dangerous. Aspects of current cyber policy discourse parallel the run-up

to the Iraq War and pose the same dangers. Pre-war threat inflation and

conflation of threats led us into war on shaky evidence. By focusing on

doomsday scenarios and conflating cyber threats, government officials

threaten to legislate, regulate, or spend in the name of cybersecurity based

largely on fear, misplaced rhetoric, conflated threats, and credulous

reporting. The public should have access to classified evidence of cyber

threats, and further examination of the risks posed by those threats, before

sound policies can be proposed, let alone enacted.

Furthermore, we cannot ignore parallels between the military-industrial

complex and the burgeoning cybersecurity industry. As President

Eisenhower noted, we must have checks and balances on the close

relationships between parties in government, defense, and industry.

Relationships between these parties and their potential conflicts of interest

must be considered when weighing cybersecurity policy recommendations

and proposals.

Before enacting policy in response to cyber threats, policymakers

should consider a few things. First, theyshould end the cyber rhetoric. The

alarmist rhetoric currently dominating the policy discourse is unhelpful and

potentially dangerous. Next, they should declassify evidence relating to

cyber threats. Overclassification is a widely acknowledged problem, and

History, Mercatus Center Working Paper No. 11-01, January 2011.

248Wildavsky, Aaron, ―Playing It Safe Is Dangerous,‖ Regulatory Toxicology and

Pharmacology 8, 1988, p. 287.


declassification would allow the public to verify before trusting blindly.

They must also disentangle the disparate cyber threats so that they can

determine who is best suited to address which threats. In cases of cyber

crime and cyber espionage, for instance, private network owners may be

best suited and may have the best incentive to protect their own valuable

data, information, and reputations. After disentangling threats, policymakers

can then assess whether a market failure or systemic problem exists when it

comes to addressing each threat. Finally, they can estimate the costs and

benefits of regulation and its alternatives and determine the most effective

and efficient way to address disparate cyber threats.

No one wants a ―cyber Katrina‖ or a ―digital Pearl Harbor.‖ But

honestly assessing cyber threats and appropriate responses does not mean

that we have to learn to stop worrying and love the cyber bomb.

* * *

april 2011 working paper - mercatus center · and were likely meant to build artillery rockets.24...

Documents